Businesses Fail in Risk Modeling and Management: Report

Published: 22/11/2024   Category: security




Businesses struggle to quantify and manage risk, leading to wasted resources and oversight of major problems.



Poor risk management leads to a slippery slope of weak prioritization, wasted resources, and unaddressed security issues. Most businesses don't know how to quantify and manage risk, and their failures lead to repeating the same security problems and facing new, major ones.
All this comes from the FAIR Institute, a nonprofit focused on advancing risk measurement and management. The institute polled 114 professionals who identify as CISO, cybersecurity specialist, risk officer, risk analyst, and C-level exec. Its goal was to learn about the current state of risk management maturity.
The top four scores came from businesses in the health, finance, consulting, and insurance industries. While the financial services industry scored highest overall, says Jones, even the top 25th percentile of scores were relatively low -- a sign risk management is immature overall.
Most cyber risk management programs are going through the motions on risk management, says FAIR Institute chairman Jack Jones, who is also cofounder and executive vice president of R&D at RiskLens. It's common for organizations to make decisions about people, processes, and technology without ensuring these choices are properly informed and executed.
The industry has historically focused on best practices checklists … rather than effective risk measurement and prioritization, he says. Much of this is due to a weak understanding of risk. Decision making and execution are both low across industries, suggesting both are problematic.
While compliance checklists aren't harmful by nature, people assume compliance achieves risk management objectives, Jones says. Many businesses fail to prioritize issues due to inaccurate terminology, broken mental models, and insufficient skills among those who rate risk.
One major weakness is a huge reliance on mental models for rating risk instead of formal analytical models, Jones explains. Forty-three percent of survey respondents claimed their Model Quality was Weak, as they rely on the intuition of risk practitioners to evaluate risk.
Mental models are notoriously inconsistent and unreliable in problem spaces as dynamic and complex as cyber, which significantly increases the odds of inaccurate risk information for decision-makers, he continues. This affects prioritization and solution selection at both tactical and strategic levels.
Organizations also fail to motivate business leaders to take risk management as seriously as revenue goals, deadlines, and budget requirements. As long as this is the case, non-compliance with internal policies and/or external regulations will continue to be a problem, says Jones.
Citing previous root cause analyses he has performed, Jones explains that more than 75% of non-compliant conditions (bad passwords, missing patches) exist because other enterprise imperatives like deadlines and budgets are prioritized.
Risk imperatives need to be placed on equal footing with other business objectives, he emphasizes, suggesting that business executives have part of their compensation tied to specific risk management goals each year. Objectives would be agreed on by the execs who will be held accountable, he adds.
Jones advises businesses to reset their understanding of risk and normalize their terminologies, mental models, and measurement practices for risk. They should also put more careful thought into who is responsible for rating risk, he adds.
Just because someone is a great auditor or security engineer doesn't qualify them to understand or measure risk reliably, Jones explains. Risk measurement is an analytic process that requires specific, and relatively uncommon, capabilities such as critical thinking skills, an understanding of basic probability principles, calibrated estimation skills, and an ability to use formal analytic models.
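To make the contrast between a mental model and a formal analytic model concrete, here is an added illustration that is not code from the FAIR Institute, RiskLens, or the report: a simplified FAIR-style loss simulation that turns calibrated 90% estimates of event frequency and loss magnitude into an annual loss distribution. The two scenarios, their ranges, and the lognormal/Poisson choices are constructed assumptions for the example, not figures from the survey.

```python
import math
import random
from statistics import mean

# Constructed scenarios: calibrated 90% intervals (5th..95th percentile) for
# loss-event frequency per year and loss magnitude per event, in dollars.
SCENARIOS = {
    "ransomware_on_file_server": {"freq": (0.1, 1.0), "magnitude": (50_000, 2_000_000)},
    "phishing_credential_theft": {"freq": (5.0, 20.0), "magnitude": (1_000, 10_000)},
}

def calibrated_lognormal(rng, low, high):
    """Sample a lognormal whose 5th/95th percentiles equal low/high (assumed
    shape for a calibrated estimate; 1.645 is the 95th-percentile z-score)."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)
    return rng.lognormvariate(mu, sigma)

def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1

def simulate_scenario(rng, freq, magnitude, years=10_000):
    """Monte Carlo: each simulated year draws an event rate, a Poisson event
    count at that rate, and one magnitude per event; returns annual-loss stats."""
    losses = []
    for _ in range(years):
        rate = calibrated_lognormal(rng, *freq)
        n_events = poisson(rng, rate)
        losses.append(sum(calibrated_lognormal(rng, *magnitude) for _ in range(n_events)))
    losses.sort()
    return {"ale": mean(losses), "p50": losses[years // 2], "p95": losses[int(years * 0.95)]}

def prioritize(scenarios, seed=7, key="p95"):
    """Rank scenarios by a chosen loss statistic, highest exposure first."""
    rng = random.Random(seed)
    results = {name: simulate_scenario(rng, **s) for name, s in scenarios.items()}
    return sorted(results.items(), key=lambda kv: kv[1][key], reverse=True)

if __name__ == "__main__":
    for name, stats in prioritize(SCENARIOS):
        print(f"{name:28s} ALE=${stats['ale']:,.0f}  p50=${stats['p50']:,.0f}  p95=${stats['p95']:,.0f}")
```

Ranking by the median puts the frequent, low-cost phishing losses first, while ranking by the 95th percentile puts the rare ransomware event first; an intuition-based rating that only considers how often something happens would miss that tail exposure.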
When businesses can't manage risk, it has a broader effect on the whole organization. Major issues go unaddressed and resources are wasted on smaller problems. Businesses end up treating the same issues over and over again, Jones says.